tv Politics Public Policy Today CSPAN November 15, 2013 4:59pm-5:30pm EST
when they log on, is their data, all of their personally identifiable information, is that as secure as if they do online banking? >> it was designed, implemented -- >> i mean, that's a yes or no question. >> it was designed, implemented and tested to be secure. >> so it was fully tested. >> best practices are a complete
integrated testing. is that correct? >> it is tested and prescribed under the fisma framework and nist controls that are specified as a standard. >> so why did your office -- why did your boss resign? >> he didn't resign. i think he decided to make a career change. >> i think it was a fantastic time to hightail it out. so let me ask another question. marilyn signed the authority to operate memorandum. traditionally, would your office sign a memorandum? or have you signed previous memorandums on authority to operate? >> myself, i have not. >> has your boss? or previous boss? >> not that i know of. but i do not manage the ato
sign-off process that's done between the chief information officer or the chief security officer. >> and they would do it, not the cms administrator? >> i think you would have to ask them. >> do you still stand by that statement? >> thank you for the question. what is it specifically referring to -- >> mr. chairman, i ask unanimous consent to submit this for the record. have you seen this usa today -- >> without objection, so ordered. and the question is on the statement, not on what you would want someone else to believe today.
>> these bugs were functions of volume. take away the volume and it works. do you still stand by that? >> i stand by the fact that the bugs the reporter was referring to, which were issues up front, were, in fact, functions of volume. what i will say now, based on volume, also affected by particular functionality bugs, which have been fixed. most have been fixed, along with capacity expansion. >> so let me tell you a story. i've got a woman named sue who logged on. she did not fill out her middle initial. she got a processing error. she went back to try to fix it. put in a middle initial. she had to wait 48 hours to get another update. turns out that her income was not verifiable because she put in a monthly income.
she calls the navigator. the navigator says yeah, we've got some problems with that, maybe you can do it on an annualized basis. she couldn't get back into the system and has to call back for another navigator. so let me try to analyze income and put it on the back end. she's still waiting. she started on october 1st. she's still waiting to be successfully logged in. to this web site you said has -- these bugs were functions of volume. take away the volume and it works. this is such a deeply flawed data rollout. and my constituents are most likely concerned about their data being stolen. >> mr. park, you can answer if you see a question there. >> that would be great.
thank you. so i was actually talking specifically about issues with account creation. there are issues downstream, as well. and, again, each time i speak with you, each time i speak, i will relay the best understanding i have and try to be as precise as i can be. >> all right, thank you. >> we now go to the gentleman from virginia. >> thank you, mr. chairman. let me begin on a bipartisan note. mr. chairman, you and i helped write, joining together, the fitara act requiring reform of it acquisition, federal it acquisitions. you seem to have been equivocal, maybe? at our last meeting in january when you're just about here. but i want to read you a statement by the president of the united states. he said, just recently, one of the lessons learned from this whole process on the web site,
is that probably the biggest gap between the private sector and the federal government is when it comes to it. how we procure it and how we purchase it. >> would the gentleman yield? >> of course. >> i couldn't agree with you more that, in fact, one of the lessons that i hope all of us take out of this hearing today is that we've got two people from the private sector who know that they would never do a process like this one was done. and yours and my legislation is really about trying to create at least a modicum of similarity in it procurement in the federal government the way it is done in the private sector. and i thank the gentleman for his comments. >> i thank the chairman. >> so i commend mr. vanroekel
on the statement to the boss. >> you were presented with a document that i've not seen before. it was presented by your boss, is that correct? >> correct. >> the republican staffers told you that this document indicated that there were two open, high risk findings in the federally facilitated marketplace launched october 1. is that correct? >> correct. >> it was dated from september 3rd and it was referring to two parts of the system that were already -- >> you're jumping ahead of me. we're going to get there.
staffers continue to give you questions and then leak it to cbs news. is that correct? >> seems correct. >> since that interview, have you had a chance to follow up on your suggestion to check with cms officials? >> i've had some discussions about the nature of the high findings that were in the document. >> and this document, it turns out, discusses only the risks associated with two modules. one for dental plans and one for the qualified health department plans. is that correct? >> yes. >> and neither of those modules is active right now.
is that correct? >> that's correct. >> so the september 3rd document did, in fact, not apply to the entire federally facilitated marketplace, despite the leak to cbs notwithstanding. >> that's correct. >> and these modules allow them to submit health care information to the police station. is that correct? >> correct. >> so to be clear, these modules don't transmit any specific user information. is that correct? >> correct. >> so when cbs evening news ran its evening report based on a leak, presumably from the majority staff, which we don't know, of a partial transcript, they said the security issues raised in the document could
lead to identity theft among those buying insurance, that cannot be true based on what we just established in our back and forth. is that correct? >> that's correct. i think there was some rearrangement in how it was portrayed. >> so just to summarize, it will not relate to parts that were active. they did not relate to any part of the system that handles personal consumer information. and there was, in fact, no possibility of identity theft despite the leak. >> correct. >> thank you, mr. chao, i yield back. >> would the gentleman yield? have you read the november 6th letter from the ranking member to me? >> yes, in fact, i think i co-signed that letter. >> oh, that's good. even today there are significant security leaks that the ranking
member was concerned, if discovered, would allow people to take the security information. that was cautioned by you not to let that out. susan, i will caution to you? >> i'm sorry, i'm not following. >> well, i was trying to let the staff speak to you. but the bottom line is that there are security risks today according to you and the ranking member that this web site still has vulnerabilities if discovered that would lead to personal information coming out. is that correct? in your letter? >> mr. chairman, it may be. >> but end-to-end that apply in your web site.
>> they may, mr. chairman, but right now, my question to mr. chao had to do -- >> no, i understand you -- >> mr. chairman, let's be fair. i'm trying to get the facts on the record and correct a deliberate smear against mr. chao because someone deliberately leaked something and distorted it. >> i appreciate your concern. >> i'm glad you do. >> mr. chao had the mitre report. and it's that report that even redacted you didn't want released because it shows a road map to the vulnerabilities to the site as it is today. that's your letter. >> mr. chairman, i tried to legislate reforms in it acquisition. that is an acknowledgment on my part that it's broken.
but i am concerned at a pattern of calling people to give us testimony and cherry picking their testimony to make a political point that, frankly, it does not serve this committee well in terms of its oversight role and does damage to good public service acquisition. >> mr. chairman, the president -- i'm quoting from the chuck todd interview -- and definitive health secretary argued that the web site bugs aren't necessarily her fault. kathleen sebelius doesn't write code. she wasn't our it person. who is the it person? who's the person in charge?
who's the person responsible? who's the one who signed off on this before it went public? >> the person that's responsible is our administrator. >> and did she base her decisions on the memo you sent her on the 27th? is that right? i mean, the president talked about it person. who is the it person? is that mr. vanroekel? is that mr. park? is it mr. chao? which of you is that person? >> i don't know. i don't know. i didn't speak to the president. i don't know what the president was referring to. >> let me start with this slide c-3, if i could. and this is the report that the final report came out october 13th, after october first. mitre was unable to accomplish the integrity of the exchange system in full.
doesn't that raise concerns? did you know about this before october 13th? >> i think that's taken out of context. >> i say it's taken out of context because there's still quite a few wrinkles. >> did you know the results of the mitre testing before october first? >> i haven't seen this document. >> well, you got the fancy title. you're the chief information officer of the united states of america. that's a pretty big title and you didn't know about this? the biggest domestic policy program web site in the history of this country ever is launched and you didn't know about this? >> sir, i haven't seen this document. >> well, that scares us. mr. park, you're supposed to be the guy who's going to solve everything. you're clark kent coming out of the phone booth here. did you know about this before october 1st?
>> i did not. >> would you like me to explain why -- >> i would like someone to tell me why you didn't know that testing wasn't done -- >> it's not about not knowing. it's that, for example, the first payment to the insurance companies, the issuers, is not going to occur until sometime in the first part of january. we are still building the system. we are still building parts of the system to calculate payment to collect the enrollment data from all of the marketplaces. >> so there's more systems to be built. so we can expect more problems in the future to add to the problems we've already seen. >> security testing is ongoing. >> why didn't you delay this? some of your testimony said we hope that it would work when we presented it to the white house.
why didn't you delay this? mr. chao, why wasn't it delayed? >> that's my decision to make. >> this, to me, is the thing. the chief technology people don't know. october first, is that a date that's in the law? it's not. let me cite you this here. i know i've got a minute. but the washington post article is important. david cutler sent a memo to the white house and says you know what, don't keep the political people in the white house in charge. bring in outside people. larry summers agreed with that assessment. but the president says no, we're going to keep nancy in charge of this. and in your testimony, you said this. get the system up by october 1st. correct? >> correct.
>> why? >> i didn't ask why. >> and what i'm suggesting is the folks at the white house knew this thing had problems, evidenced by the testing that wasn't done end-to-end. based for political reasons, they picked this date. so for political reasons, they had to adhere to this date. and the end result is americans' personal information is put at risk. it's about a long chain of systems that need to be built. >> mr. chairman, i've got two seconds. let me just finish with this. we have asked, you and i have asked, to come in front of this committee next week. and the letter we got back yesterday was they're not going to come. they're the ones ultimately
responsible for putting americans at risk. >> there were all of these questions and you seemed to have an answer that you wanted to give on this end-to-end that's been done. >> i would reiterate the point that the security testing was done early. what is being done now and how adequate is that to date? >> thank you. mr. davis? >> thank you. thank you very much, mr. chairman. mr. chairman, there's been a lot of information over the past several weeks regarding the security of healthcare.gov and whether consumers who use the system are at risk. i'd like to hear from the witnesses about this matter and separate fact from fiction.
requires agencies to protect information systems. it specifically requires an authorized official to sign off before an agency begins operating a system. in the case of healthcare.gov, we have a memo that was signed on september 27, 2013, entitled, and i quote, federally facilitated marketplace, end of quote. this memo says that the security contractor, again, quote, has not been able to test all of the security controls in one complete version of the system.
>> mr. chao, can you explain how cms tested components of a system for security risks? >> in most large it projects that require several what we call environments that are used to move from a developer's machine in writing code to test that locally and to put it into a larger environment to test with other code. and you go through this process of constructing the system. i think what the statement reflects is that in any situation similar to the marketplace systems, security people have to test when they can and when they have a window. i mentioned there's a compressed time line.
that affords some ability for security testing to occur as the software is being developed through its life cycle. by the end of three cycles to go live on october first. there are, as i mentioned earlier, other system functions that are meant to be built and will continue to have security testing constructed.
>> do you know of any other systems? >> i think there's a slight arch in the wording of that. i think every system needs to have testing. testing is an ongoing part of the process. when we are ready for a delivery date, we fully test them. we do not have to make payment on october 1st, that is then tested at a later date when that
function is ready and needed in order to go into operation. so it's an iterative, ongoing process. >> has a security team been established? >> yes. >> has cms been performing weekly testing? >> i thank the gentleman for yielding back. >> i thank you all for being here. since the end of august, how many times have you personally met with secretary sebelius? >> i'm not sure. probably once or twice. >> and when was the last time you met with the secretary? >> i believe that it was during the shutdown the secretary had regular meetings with senior leadership. >> so you met one time in october? >> i believe so.
>> so you met one time with the -- you're the chief information officer and you met one time in october with the secretary. my understanding is you engaged a hacker to look at healthcare.gov, correct? >> we engaged an ethical hacker. >> and when was this? >> it was during the shutdown. he's actually based in atlanta and spent a couple days. >> and then he gave you a report. how many serious problems did he find? >> i don't know if i'd call them serious. i think that there were
something like seven to ten items. >> what percentage of those have been fully rectified? >> i turned those over to cms for their review. some actually weren't percentage issues. >> you have no idea what was rectified? >> i believe cms got back to my staff last week and said the majority of those had been remediated. >> it's not a hundred percent. >> i don't believe it's a hundred yet, no. >> so you shared that with cms. did you share that with the secretary? >> i have not. >> you're the chief information officer for the health and human services -- >> it's a fairly technical item. >> but it's not safe and secure. you get a hacker who, in a
couple days, finds ten or so problems and challenges. it's that easy to get in and hack the information, that's the concern. mr. powner, is this ready? is it -- is the site, in your opinion, currently, safe as an online banking site? >> i would have to look and assess the security. all of that stuff that mitre did is preliminary.
>> is there anything in that memo that needs to be redacted? >> i would have to review it. >> okay. it's in the record now. by close of this hearing, if there's something that needs to be redacted, i need to know. >> and i just wanted to make sure that there was no sensitive information. >> well, that's the problem. that -- >> i'm just trying to obey the law. >> this thing is already in the record. if we choose to redact
something, the question is that there are numerous things that give us sitings of lines in september 3rd that clearly, this thing wasn't ready for security in september 3rd. and when our people questioned you about september 27th and there was no end-to-end and security concerns, you want to say you were taken out of context. but both september 3rd and september 27th, what we find is there was no end-to-end testing. any point of vulnerability is a point to access. anything that can reach into the database, in fact, could be a significant security risk and has nothing to do with whether or not a module is about shopping. isn't that true? >> that's correct. >> okay. yield back. and at this point, i recognize the gentleman from tennessee, mr. cooper, next.